NE-2183: Openshift conditions on Gateway API status

[rikatz]

This enhancement proposal adds the Ingress Controller Conditions (LoadBalancerManaged, LoadBalancerReady, DNSManaged and DNSReady) to Gateway API resources that created with Openshift Gateway Class and on openshift-ingress namespace.

This proposal was partially generated with the help of Claude/AI

[openshift-ci-robot]

@rikatz: This pull request references NE-2183 which is a valid jira issue.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@rikatz: This pull request references NE-2183 which is a valid jira issue.

In response to this:

This enhancement proposal adds the Ingress Controller Conditions (LoadBalancerManaged, LoadBalancerReady, DNSManaged and DNSReady) to Gateway API resources that created with Openshift Gateway Class and on openshift-ingress namespace.

This proposal was partially generated with the help of Claude/AI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[Miciah]

/assign

[candita]

/assign

[candita]

/retest

[rikatz]

the error is valid, it is due to the metadata not containing real approvers and reviewers for now. Once I get some review and approval I can fix it

[alebedev87]

Forgot to add a description to the review. I was about to look at openshift/cluster-ingress-operator#1294 but then recalled that there is an EP. So I started from the EP.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from candita. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• enhancements/ingress/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[candita]

So this means we don't mark IngressController as Degraded if there are problems with the Gateway?

[rikatz]

that's right, this proposal is just about adding conditions to the Gateway resource, not changing anything else

[candita]

Does this mean we mark the IngressController as Degraded if DNSReady and/or LoadBalancerReady are false?

[rikatz]

No, this means that we are moving the conditions function previously used by IngressController only to a common place that can also be reused by Gateway API. It is about the condition calculation functions (given DNSRecord, LoadBalancer service, etc what should be the Gateway resource conditions) but we don't touch IngressController behavior

[candita]

nit: There is a Gateway API dns record creater controller alongside the cluster ingress one.

[rikatz]

right, and it is on Cluster Ingress Operator. Am I missing something more explicit here? (like the package name?)

[openshift-ci]

@rikatz: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[candita]

Is there any reason DNSManaged=False? Maybe reserved for the future, if another DNS management system is selected, such as ExternalDNS?

[rikatz]

From CIO code:

	// In case there is no managed DNS zone configured, return a single condition
	// that DNSManaged=False because no zone is configured

any other specific cases (like IngressController endpointpublishingstrategy) are not verified by Gateway API, so we intentionally skip it.

But managed can yes, be false in case the DNSConfig doesn't specify a proper public or private zone, even on Gateway API

[candita]

Suggested change

	reason `FailedZones` and detailed error message from DNS provider
	reason and error message as detailed in the section on Implementation Details.

[rikatz]

hum, I think it is fine to keep it here. The implementation details are more about "How" we will implement, but it does make sense IMO keeping the conditions that will be used on the failure flow.

[candita]

I remember hearing about a MicroShift integration, handled by MicroShift, so maybe remove the first line?

[candita]

It doesn't watch DNS records? During reconciliation of what object?

[rikatz]

it watches, but these watches are negligible from a resource impact perspective IMO. I am not sure it is worth mentioning it here (also this is related to SNO deployments, so it is not different from other resource impacts considered above)

[candita]

There is a new gateway-status controller mentioned below.

[rikatz]

changed to "* A new gateway-status controller is created on existing Cluster Ingress Operator"

[candita]

What's the reasoning behind only the first matching DNSRecord being used? Why not check all DNSRecords for the Gateway and report if one or more are in a failure status?

[rikatz]

well:

• For services we know that Istio will provision just one Service (of type LoadBalancer) for the Gateway
• For DNS, it is following the same logics from CIO, that receives the "wildcard DNS record" only. Maybe this assumption is wrong for Gateway API, and we should compute the DNS record from all of the provisioned DNS Records (we do watch all of the DNS Records related to the Gateway).

I will fix the EP here, as we need to watch all the DNSRecords from the Gateway, good catch!

[candita]

Is this more precise?

Suggested change

	* Set to `False` with reason `RecordNotFound` when the associated DNSRecord resource cannot be found
	* Set to `False` with reason `RecordNotFound` when one or more of the associated DNSRecord resources cannot be found

[candita]

Why preserve transition times? Transition time should be updated if the condition changes, at least if it changes from true to false or vice versa.

[candita]

I would like to see it say:

Suggested change

	* The cluster-ingress-operator service account is granted RBAC permissions to:
	* The cluster-ingress-operator service account uses existing RBAC permissions to:

[candita]

One more implementation detail - how about making sure the status gets added to the must-gather troubleshooting document?

[candita]

We should make sure that either the messages are clearly indicating that status isn't supported (e.g. "Bare metal clusters don't measure Gateway status"), or that they are at worst Unknown, not False.

[rikatz]

so, what we discussed so far is that as Load balancers are not supported on Bare metal, but we also "do not provide" the Load Balancer managed condition on Gateway API, we will simply feed the "LoadBalancerReady" condition. This condition will reflect the current behavior of CCM / Baremetal provisioner, so let's say you are on baremetal:

• If you have metallb, it will work fine
• If you don't have a Load balancer controller, the status of the LoadBalancerReady condition will be false and the reason will be the LoadBalancer is pending, which means you don't have a LoadBalancer controller on your environment, and reflects the same behavior of CIO.

IMO as we don't have a clear definition yet on bare metal loadbalancer, I think this is the most meaningful information we can provide to users without being misleading, wdyt?

[rikatz]

(also it should be considered that this is the "Drawbacks" section, meaning this may be a known drawback)

[candita]

Maybe also: Test transition times?

[candita]

How about:
Create Gateway with multiple listeners, only one of which can get a successful DNS record. I expect the dns ready status to be False.

[candita]

nit: What does the "both" refer to here?

[rikatz]

halucination, apparently. Let me remove the word

[candita]

The rate-limiting is automatic, no coding needed, right?

[rikatz]

yeah, it is part of the maximum reconciliation that we define, and client-go throttling (or it should).

I am not sure where claude got this, so I would be happy to also remove this line if we feel it may be misleading.

[candita]

This is not necessarily an error condition. Some users may choose to not have DNS be managed.

[candita]

@rikatz Overall I think this looks great. Do you think we should use the generator for other EP/KEP/GEPs?

I have a few nits and questions, and one major question: can you discuss the decision not to propagate condition status up to the ingress controller status? I can see pros and cons for both, but we should document that decision. Thanks.